OFFICE OF INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

OIG Letter Report Regarding
Assessment of Project Risks Related to the
Corporation for National and Community Service's
Development of a Grants Management System

OIG Audit Report Number 02-22
February 4, 2002

Prepared by:

KPMG LLP
2001 M Street, N.W.
Washington, D.C. 20036

Under the Corporation for National and Community Service
Purchase Order # 200107180002
GS Contract # GS-23F-8127H
Task Order # 00-01

This report was issued to Corporation management on March 29, 2002. Under the laws and regulations governing audit follow up, the Corporation is to make final management decisions on the report's findings and recommendations no later than September 30, 2002, and complete its corrective actions by March 29, 2003. Consequently, the reported findings do not necessarily represent the final resolution of the issues presented.

Letter Report Regarding Assessment of Project Risks Related to the Corporation for National and Community Service's Development of a Grants Management System

OIG engaged KPMG LLP to prepare a project risk management assessment of the Corporation's contractual initiative to develop an integrated grants management system (known as E-SPAN) capable of providing comprehensive financial information for all grants and cooperative agreements.
This independent risk assessment of the project's management practices employed a five-part methodology that considered: (1) assessing the inherent risks; (2) understanding the controls in place; (3) assessing the effectiveness of the controls; (4) identifying control weaknesses; and (5) deducing and reporting residual risk. OIG has reviewed KPMG's assessment methodology, findings and recommendations and concurs with them.

The assessment concluded that the Corporation has adequately managed the E-SPAN project and found that the current level of residual risk is low except in a few medium risk areas. The analysis identified three areas that require additional management attention and makes the following recommendations:

    (1) The Corporation should develop or adopt a specific quality assurance and testing methodology for the new E-SPAN system that is consistent with applicable standards and accepted best practices. It should also develop performance criteria and guidelines that specify how a third-party provider of quality assurance and testing services will be required to carry out its activities, document its observations, and communicate its recommendations.

    (2) The Corporation should document criteria for testing specific application security and internal controls to be used for both initial and on-going quality assurance and validation testing of E-SPAN.

    (3) The Corporation should develop a system life cycle management strategy and plan for operation and maintenance of the E-SPAN system throughout its expected operational lifespan while personnel with detailed knowledge of the system design are still available.

OIG understands that the Corporation plans to complete the development of E-SPAN and achieve initial operational capability of the system in April 2002.
As required by the Conference Report on the Corporation's appropriations for Fiscal Year 2001 under the National Community Volunteer Act, OIG will participate in the certification of the new grants management system after E-SPAN's development and testing are completed.

Office of Inspector General
Corporation for National and Community Service

Assessment of Project Risks Related to the Corporation for National and Community Service's Development of a Grants Management System

Table of Contents

APPENDIX A - OUR UNDERSTANDING OF THE GRANTS MANAGEMENT PROCESS CURRENT STATE ........ A-1
APPENDIX B - OUR UNDERSTANDING OF THE GRANTS MANAGEMENT SYSTEM DEVELOPMENT PROJECT ........ B-1
APPENDIX C - ASSESSMENT SUMMARY FOR THE GRANTS MANAGEMENT SYSTEM DEVELOPMENT PROJECT ........ C-1
APPENDIX D - RESPONSE FROM THE CORPORATION FOR NATIONAL AND COMMUNITY SERVICE ........ D-1

2001 M Street, NW                Telephone 202 533 3000
Washington, DC 20036             Fax 202 533 8500

February 4, 2002

Inspector General
Corporation for National and Community Service
Washington, DC 20525

At your request, KPMG LLP (KPMG) performed an assessment of project management risks associated with the Corporation's initiative to develop a new grants management system, E-SPAN. This assessment is a precursor to the ultimate certification of the system that must be performed in accordance with the conference report on Public Law 106-377.
(The conference report requires the Corporation to certify, with the Inspector General's concurrence, that an adequate cost accounting and grants management system has been acquired and implemented, and that it conforms to all federal requirements.) This project risk assessment focused on understanding risks that would interfere with the Corporation's ability to complete the acquisition and implementation of a new grants management system, and, consequently, the ability to certify a new system, as required by the Congress.

In July 2000 the Corporation engaged STR LLC, a professional services company, to assist the Corporation in designing a grants management system. In January 2001 the Corporation again contracted with STR to develop and implement the new grants management software. The Corporation's Chief Information Officer (CIO), in a memorandum dated February 2, 2001, requested input on the design of the grants management system from the Office of Inspector General (OIG). OIG subsequently engaged KPMG to conduct an independent assessment of the project's risks.

This assessment focused on understanding inherent project risks, the effectiveness of controls, and the existence of risks that had a significant effect on past performance and will influence successful development and implementation of the new system, E-SPAN.

Results in Brief

KPMG reviewed documentation provided by the Corporation and met with Corporation management and STR personnel. KPMG feels that overall the E-SPAN project is adequately managed, and residual risk is currently low, except in a few medium risk areas. The areas that need heightened attention are all related to future stages in system development and implementation.
They are associated with software integration testing, quality assurance practices and life cycle planning for the E-SPAN system:

Office of Inspector General
Corporation for National Service
Page 2

- The Corporation does not have a specific methodology nor documented performance criteria for quality assurance and validation testing. It is recommended that the Corporation develop or adopt a specific quality assurance and testing methodology for the new E-SPAN system that is consistent with applicable standards and accepted best practices. It is also recommended that performance criteria and guidelines be developed that specify how a third-party provider of quality assurance and testing services will be required to carry out its activities, document its observations and communicate its recommendations.

- The Corporation has not documented criteria for testing and re-testing specific data integrity controls and application security controls to be used during the phased implementation of the new E-SPAN system and also at later points in the system's life cycle. It is recommended that the Corporation document criteria for testing specific application security and internal controls to be used for both initial and on-going quality assurance and validation testing of E-SPAN.

- The Corporation has not documented a system life cycle maintenance and operation plan for E-SPAN beyond the initial three months of system operation.
It is recommended that the Corporation develop a system life cycle management strategy and plan for operation and maintenance of the E-SPAN system throughout its expected operational lifespan while personnel with detailed knowledge of the system design are still available.

Project Scope, Objectives, and Methodology

Scope: KPMG assessed the project management processes and risks associated with the Corporation's initiative to develop and implement a new grants management system, E-SPAN. E-SPAN is being developed by a contractor, STR LLC, under the supervision of Corporation management, and with the involvement of Corporation personnel.

This assessment was a precursor to the ultimate certification of the system that must be performed in accordance with the conference report on Public Law 106-377. The conference report requires the Corporation to certify, with the Inspector General's concurrence, that an adequate cost accounting and grants management system has been acquired and implemented, and that it conforms to all federal requirements.

Objective: The objective of the assessment was to identify and assess project management risk in the following areas:

1. Project management control processes, techniques and methodologies;
2. The inherent risks that could adversely impact the successful completion of the new grants management system; and
3. The Corporation's actions to mitigate those risks.

Methodology: The assessment relied on KPMG's standard methodology for conducting project risk assessments.
KPMG's methodology is based on and compatible with various widely accepted standards, such as Control Objectives for Information and Related Technology (COBIT), the Project Management Institute's Project Management Body of Knowledge, the Software Engineering Institute's capability maturity models, and appropriate National Institute of Standards and Technology (NIST) standards.

To conduct the assessment, KPMG gained an understanding of the current grants management environment and the E-SPAN project in the following areas: background information, project management, business processes, people and skills, and technology and data. Thirteen management control areas, sometimes referred to as project management domains, were reviewed. KPMG employed a five-part project risk assessment methodology. Its steps included: (1) assessing the inherent risk; (2) understanding the controls in place; (3) assessing the effectiveness of the controls; (4) identifying control weaknesses; and (5) deducing and reporting residual risk back to the Corporation. Details about each activity are presented below:

- Assessing the inherent risk associated with the E-SPAN project entailed evaluating risks that existed prior to the implementation of controls.
The assessment of inherent risk relied on the project kickoff meeting, initial discussions with Corporation management, preliminary reviews of documentation, and knowledge gained from previously delivering services to the Corporation.

- Understanding controls in place entailed determining how the Corporation and STR, its contractor, control the direction and progress of the E-SPAN project. Understanding controls focused on domains that are commonly understood to be part of a disciplined project management infrastructure and that will have an impact on how well scope, time, requirements, configuration, and quality are controlled.

- Assessing the effectiveness of controls included reviewing the extent to which project management activities succeed at delivering results to the satisfaction of Corporation management.

- Identifying control weaknesses involved observing where project management practices showed a gap, and the gap could have significant potential for negatively impacting the success of the development and implementation of the new grants management system.

- Deducing and reporting residual risk back to the Corporation involved consolidating the understanding of controls and control weaknesses into a set of overall observations and recommendations. A risk rating of high, medium, or low was assigned to each pair of observations and recommendations to indicate the level of residual risk. In this rating scheme, high-risk issues, of which there were none, require immediate action; medium-risk issues deserve heightened management attention; and low-risk issues can be dealt with through standard operating procedures.

Summary of Findings and Recommendations

The assessment resulted in three medium risk findings that are discussed below.
These findings are also included in Appendix C, a summary of all observations and recommendations.

Finding 1: Quality Assurance and Testing. The Corporation has worked closely with its contractor, STR LLC, to perform ongoing testing of E-SPAN during the system's development. In addition, Corporation management has stated they plan to contract with a third party to perform independent testing and quality assurance for E-SPAN. The Corporation has prepared a request for quotation (RFQ) for these services that includes high-level requirements. But, the Corporation does not have a specific methodology nor documented performance criteria for quality assurance and validation testing.

The SEI capability maturity model for software engineering and COBIT specifically address the value of having general and specific guidelines for quality assurance and testing. COBIT detailed control objective PO11.2, for example, states: "Management should establish a standard approach regarding quality assurance that covers both general and specific quality assurance activities." Furthermore, detailed control objective PO11.18 indicates management "should define and use metrics to measure the results of activities, thus assessing whether quality goals have been achieved."

KPMG did not observe the existence of consolidated documentation that meets these standards and believes that the lack of a specific quality assurance and testing methodology could lead to a higher likelihood of testing not detecting all potential problems, and also of not being efficiently repeatable in the future.

It is recommended that the Corporation develop or adopt a specific quality assurance and testing methodology for the new E-SPAN system that is consistent with applicable standards and accepted best practices, such as those established by CMM and COBIT.
It is also recommended that performance criteria and guidelines be developed that specify how a third-party provider of quality assurance and testing services will be required to carry out its activities, document its observations and communicate its recommendations.

Finding 2: Testing Plan for E-SPAN Application Security and Internal Controls. The Corporation has addressed the security of E-SPAN in its system development process, but has not documented criteria for testing and re-testing specific data integrity controls and application security controls during the phased implementation of the new E-SPAN system and also at later points in the system's life cycle.

Standards that espouse the value of well-planned and documented testing of application security and controls include NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security) (NIST 800-27), and COBIT. NIST 800-27 (principle 13) calls for providing assurance that a system is, and continues to be, resilient in the face of expected threats. COBIT detailed control objective M2.2 says: "Operational security and internal control assurance should be established and periodically repeated, with self-assessment or independent audit to examine whether or not the security and internal controls are operating according to the stated or implied security and internal control requirements."
This is complemented by detailed control objective AI5.10 (part of the high-level objective AI5, covering installation and accreditation of systems), which states, "Management should define and implement procedures to ensure that operations and user management formally accept the test results and the level of security for the systems, along with the residual risk."

Because the implementation of E-SPAN is expected to extend in stages over approximately a year and a half, the ability to repeat key quality assurance testing steps when new software modules are integrated with operational ones will be essential. Lack of a clear, documented plan and criteria for testing specific E-SPAN application security and internal controls could lead to failure to detect control weaknesses.

It is recommended that the Corporation document criteria for testing specific application security and internal controls to be used for both initial and on-going quality assurance and validation testing of E-SPAN. The criteria should encompass security and internal controls for the new grants management application, and other interfacing applications, such as Momentum.

Finding 3: E-SPAN Lifecycle Management and Support Planning. An option in the Corporation's contract with STR provides for three months of operational support for E-SPAN. The Corporation has not documented a system life cycle maintenance and operation plan for E-SPAN beyond that initial three months of system operation.

OMB Circular A-130, Management of Federal Information Resources, requires government agencies to have an information system life cycle plan.
Also, COBIT detailed control objective DS13.1 states, "IT management should establish and document standard procedures for IT operations (including network operations). All IT solutions and platforms in place should be operated using these procedures, which should be reviewed periodically to ensure effectiveness and adherence."

Not having a plan for maintaining the software, controlling modifications and providing a controlled operational environment for the application could have a negative effect on the efficient, effective management of E-SPAN.

It is recommended that the Corporation develop a system life cycle management strategy and plan for operation and maintenance of the E-SPAN system throughout its expected operational lifespan while personnel with detailed knowledge of the system design are still available. The Corporation should ensure the plan is consistent with applicable life cycle management guidance in OMB Circular A-130.

Appendix A discusses the current grants management processing environment. Appendix B provides an overview of the E-SPAN system development project. Appendix C presents the assessment observations and recommendations.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to performance audits contained in Government Auditing Standards, issued by the Comptroller General of the United States.

Distribution

We provided a draft of this report to the Corporation.
The Corporation's response to our report is included as Appendix D.

As required by the Government Corporation Control Act, this report is intended solely for the information and use of the United States Congress, the President, the Director of the Office of Management and Budget, the Comptroller General of the United States, the Corporation for National and Community Service and its Inspector General, and is not intended to be and should not be used by anyone other than these specified parties.

Appendix A

Our Understanding of Current Grants Management Processes

This appendix provides an illustrative, high-level view of the Corporation's processes for the review and approval of grant applications, and the systems that are currently used by the Corporation in the grants administration process.

AmeriCorps, Learn and Serve, and State and Local Commissions Grants

The processing of a grant application begins when a new application from a state/local office arrives at the Program and Planning Integration (PPI) Office. This office distributes the applications to the appropriate Program and Grants Offices. In the Grants office, personnel manually assign each grant application a 10-digit grant number, and enter the grant application information into the Grantsbase system. Grantsbase is a small system used in the grants review process to generate grant documents and modifications, and track financial reporting for authorized National and Community Service Act programs.

The application itself is put through the Grant Application Review Process (GARP). The Program and Grant offices develop a report and recommendation for the Board of Directors. One of the criteria for a recommendation of approval is that the grant be within previously established budget limitations.
When approved by the Board of Directors, the grant application goes back to the Program and Grants offices for negotiation with the grantee. The Program office then creates a Certification for Funding that requires the signatures of the Program Officer and Director. When signed, the Certification is sent to the Grants office. After the signed Certification of Funding comes back from Accounting, the Certifying Officer requests that a grant account be created and an obligation established in Momentum. A grants specialist manually enters the obligation in Momentum. Momentum subsequently connects to the HHS Payment Management System (PMS) to establish a grant authorization. The Grantee is able to draw grant funds within the authorized limits directly from HHS.

The current grants management processes intersperse manual and automated processing. The approval and authorization process requires forms to be downloaded, signed, and forwarded to the respective offices. There is an electronic interface between Momentum and HHS-PMS, but there is no electronic interface between Grantsbase and Momentum. Information about the initial grant also flows from Grantsbase to both the Web-Based Reporting System (WBRS), and the System for Programs, Agreements and National Service Participants (SPAN). The Grantsbase information aids in setting up the initial grant information for progress reporting in WBRS and for related trust accounts in SPAN.
But, updated information on subsequent modifications to the grant is entered manually into these systems, and does not flow from Grantsbase.

Page A-1

[Figure A1: Current NCSA Grants Management Process Illustration. Flowchart titled "Grants Management Process (For AmeriCorps, Learn and Serve, and State and Local Commissions Grants)"; legible box labels: Application; Planning; Perform GARP (Grant Application Review Process); Application Report; Negotiate with grantee; Certificate for Funding; Grant Award; Grant Approved on Paper, Setup in Momentum and Entered; Grantsbase; Financial System; Grant Information.]

Senior Corps Program Grants

The processing of a grant application begins when a grantee submits a grant request to the CNS State Office. The grantee is often the State Commission which itself has multiple sub-grantees. The State Office Director, who has programmatic responsibility for the grant request, reviews the request, and signs giving his approval. It is then forwarded to the regional CNS Service Center.

The Service Center has financial management responsibility for the grant request. The Service Center has previously been given a budget for these types of grants by CNS headquarters. The Service Center Budget Officer verifies and signs off that funds are available. The Service Center Director then gives his approval by signing the request.

The request then goes to one of several Service Center grants clerks, each of which works with multiple state offices. The actual document for the grant request is a Procurement Request form, because that is how the accounting system, Momentum, processes it. Coding information in certain fields differentiates a grant from Procurement Requests for supplies and services.

The grants clerk enters the grant request information to Momentum as a commitment. This signifies that there has been "Grant Award Approval". The grants clerk then enters an obligation into Momentum. It creates a "Notice of Grant Award", and begins an automated process that transmits information to the HHS Payment Management System authorizing HHS to make payments to the grantee without further approvals by CNS.
The Notice of Award document is printed by the system, and signed by the grants clerk.

The grants clerk next enters the grant request information into "Grants Module". Grants Module contains the standard Terms and Conditions that are used for all SCP grants. The Terms and Conditions are printed out to accompany the Notice of Grants Award.

The standard cover letter for the Notice of Grant Award is provided by headquarters as an MS Word document. It is printed out and placed together with the Notice of Award and the Terms and Conditions in a folder. Two copies of this set of documents are sent to the grantee. One set is sent to the State Office, and one set is retained in Service Center files.

Draw downs against the grant are monitored by using the Momentum Grant Status Report. The draw downs are considered to be an advance until the Grantee submits a Financial Status Report (FSR) explaining the actual use of the funds. Once an FSR or electronic equivalent is received, the funds previously advanced become an expenditure.

[Figure A2: Current DVSA Grants Management Process Illustration. Flowchart titled "Grants Management Process"; legible box labels: State Office Director Review and Approval; Budget Officer Funds Availability; Director Approval; CNS Service Center Grants Clerk Enters Commitment (Grant Approval); Grants Clerk Enters Obligation (Notice of Grants Award); Grants Clerk Enters Grant Information; Grants Module; Notice of Grant Award; Cover Letter; Grantee Payment Requests; MOMENTUM.]

Appendix B

Our Understanding of the Grants Management System Development Project

Multiple pieces of legislation, enacted at different times, have established a variety of programs with different requirements, and different methods for administration. For this and other historical reasons, the Corporation has evolved a variety of processes and systems to manage its grants programs (i.e., AmeriCorps, VISTA, Learn and Serve America, and the National Senior Service Corps).
The systems that have evolved to\nsupport the programs have different procedures and data file structures, and are not well\ndocumented. They require manual intervention, manual controls and redundant manual\ndata entry. Inefficiencies and shortcomings such as these led the Corporation, with\nCongressional approval, to initiate the project to develop a new, integrated grants\nmanagement system, E-SPAN.\n\nE-SPAN will integrate the various formerly distinct systems and processes, and interface\nwith Momentum. It will be a Web-based system developed using Oracle and CASE tools\nthat work with the Oracle8i software.\n\nIn July 2000, the Corporation selected STR to design E-SPAN. In January 2001, STR\nwas also selected to develop and implement E-SPAN, with a "go live" date estimated to\nbe approximately April 2002. A partial list of the tasks STR has performed or will\nperform for development and implementation of E-SPAN includes: conducting a detailed\ndesign review, developing forms and reports, mapping databases, conducting incremental\ntesting, installing databases, conducting a complete system test with Corporation staff,\ndeveloping training materials, training Corporation help desk and field staff, and\ndeveloping a user\'s manual.\n\nAlthough STR has the responsibility for system development and implementation, the\nCorporation plans to also contract with an independent third party for testing services.\nThese services will provide the Corporation independent quality assurance and testing of\nE-SPAN.\n\nAppendix C\n\n                                        Assessment Summary for the E-SPAN Project\n\nThe table below presents observations, recommendations, and a risk rating for each control area in the assessment. Each entry gives the Project Control Area, Observations, Recommendations, Risk Rating, and Finding (N/A where no finding was issued).\n\nProject Control Area: Project Sponsorship\nObservations: As one of the largest software development undertakings in the Corporation\'s history, the E-SPAN project has sponsorship from senior management and congressional funding.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Steering Committee Leadership\nObservations: Corporation senior management provides active oversight of the project, for example by participating in weekly status meetings. Through these meetings, as well as close involvement in the development effort, key managers stay abreast of new issues, outstanding issues, and project status.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Stakeholder Involvement\nObservations: Program groups with a stake in the functionality that E-SPAN will deliver are represented in the design, development and implementation process. In addition, the Corporation has carried presentations about E-SPAN functionality to groups that will use the new system.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Project Management Office\nObservations: A project management structure specific to E-SPAN is documented in the STR RFQ response. It includes procedures for having a project plan, staffing plan, budget, and project schedule. The Corporation and STR work closely together to carry out project management office duties, but a project management office similar to what might be part of a larger-scale application development and implementation effort has not been formally defined. STR uses various project management tools, including a finance and accounting system audited by DCAA. Introduction of an independent third-party test services provider into the E-SPAN project will introduce one challenge normally handled by a formal project management office: coordinating multiple vendors. Specifically, the Corporation has not documented a plan for coordinating collaboration between its stakeholders, STR, and a third-party provider of quality assurance and testing services, in the context of identifying, documenting, and resolving any defects in the new grants management system that may be observed.\nRecommendations: The Corporation should prepare guidelines for how the third-party provider of quality assurance and testing services will document application development and implementation issues and will work with the Corporation and STR to resolve any observed defects in the new grants management system.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Project Team Composition and Skills\nObservations: Corporation staff who are involved with the E-SPAN project appear to be senior professionals with an understanding of their functional areas. STR\'s personnel seem to possess sufficient technical qualifications, adequate experience, and a track record on complex projects. In discussions concerning the rationale for employing an independent third party to test E-SPAN, one reason offered concerned Corporation staff lacking the requisite complement of skill sets to carry out the effort as an internal project.\nRecommendations: The Corporation should identify skill sets that will be required of both contractor personnel who will perform testing of E-SPAN and Corporation staff who will oversee this effort. The Corporation should ensure technical staff who will participate in testing possess adequate skills or receive training in key areas prior to the commencement of testing activities.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Status Reporting\nObservations: STR and the Corporation meet every week to discuss the status of the project. STR provides monthly status reports to the Corporation. A report identifies work planned for the next month and any problems, changes, risks, or requirements that may require the Corporation\'s attention. Documentation of status briefings and reports consistently tracks progress and the history of issues.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Issues Management\nObservations: Issues are logged, discussed, and resolved during the project and through weekly status meetings. Meeting summaries serve as a log of issue consideration and resolution.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Configuration Management\nObservations: STR keeps code in an Oracle Designer Repository and takes steps to reuse code where possible. Adequate steps to maintain configuration information are being taken. The information tracked includes the purpose of the code, the location, the description and the author.\nRecommendations: There are no recommendations for this control area.\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Quality Assurance and Testing\nObservations: The Corporation has worked closely with its contractor, STR LLC, to perform ongoing testing of E-SPAN during the system\'s development. Testing requirements are built into STR\'s responsibilities, and the stepwise development approach being taken for E-SPAN incorporates incremental testing and other testing efforts. In addition, Corporation management has stated they plan to contract with a third party to perform independent testing and quality assurance for E-SPAN. The Corporation has prepared a request for quotation (RFQ) for these services that contains high-level requirements. However, the Corporation does not have a specific methodology or documented performance criteria for quality assurance and validation testing.\nRecommendations: It is recommended that the Corporation develop or adopt a specific quality assurance and testing methodology for the new E-SPAN system that is consistent with applicable standards and accepted best practices, such as those established by CMM and COBIT. It is also recommended that performance criteria and guidelines be developed that specify how a third-party provider of quality assurance and testing services will be required to carry out its activities, document its observations and communicate its recommendations.\nRisk Rating: Medium\nFinding: Finding 1\n\nProject Control Area: Application Security and Internal Controls\nObservations: Application security and internal controls have been considered during E-SPAN development and have been a topic of importance in the effort. STR has made concrete recommendations for strengthening access control, and Corporation managers describe application security and internal control as areas of continuing focus. However, the Corporation has not documented criteria for testing and re-testing specific data integrity controls and application security controls to be used during the phased implementation of the new E-SPAN system and also at later points in the system\'s life cycle.\nRecommendations: Because the implementation of E-SPAN is expected to extend in stages over approximately a year and a half, the ability to repeat key quality assurance testing steps when new software modules are integrated with operational ones will be essential. It is recommended that the Corporation document criteria for testing specific application security and internal controls to be used for both initial and on-going quality assurance and validation testing of E-SPAN. The criteria should encompass security and internal controls for the new grants management application and for other interfacing applications, such as Momentum.\nRisk Rating: Medium\nFinding: Finding 2\n\nProject Control Area: Knowledge Transfer\nObservations: STR will develop user manuals and other necessary documentation by the completion of the project.\nRecommendations: The Corporation should work closely with STR, as manuals are developed, to determine that documentation will satisfy the needs of end users. To this end, business groups should provide input during the development of manuals. Along with other "as built" documentation, an "as built" design document should be prepared by the contractor before the system is accepted. The "as built" design document should clearly show all system controls that ensure the security, privacy, and integrity of the data in the system (accuracy, completeness, timeliness, etc.).\nRisk Rating: Low\nFinding: N/A\n\nProject Control Area: Lifecycle Maintenance\nObservations: An option in the Corporation\'s contract with STR provides for three months of operational support for E-SPAN. The STR support will include training on an as-needed basis, technical fixes, database changes, and documentation updates. The Corporation has not documented a system life cycle maintenance and operation plan for E-SPAN beyond the initial three months of system operation.\nRecommendations: It is recommended that the Corporation develop a system life cycle management strategy and plan for operation and maintenance of the E-SPAN system throughout its expected operational lifespan while personnel with detailed knowledge of the system design are still available. The Corporation should ensure the plan is consistent with applicable life cycle management guidance in OMB Circular A-130.\nRisk Rating: Medium\nFinding: Finding 3\n\nProject Control Area: Training\nObservations: STR will provide training to Corporation staff, and also work with key stakeholders in a "train the trainer" capacity at key points during the project.\nRecommendations: The Corporation should leverage training and training materials provided by STR into knowledge capital that will serve future training needs of Corporation field personnel and help desk personnel.\nRisk Rating: Low\nFinding: N/A\n\nAppendix D\n\n                                     Memorandum\n\n                                                                                       CORPORATION FOR NATIONAL AND COMMUNITY SERVICE\n\n      To:      Terry E. Bathen\n               Deputy Inspector General for Audit\n\n  From:        David N. Spevacek\n               Chief Information Officer\n\n   Date:       March 18, 2002\n\nSubject:       Audit Report 02-22, Letter Report Regarding Assessment of Project Risks Related\n               to the Corporation for National and Community Service\'s Development of a\n               Grants Management System.\n\n\nWe are pleased that the KPMG assessment found that the Corporation is adequately managing\nthe development of the eGrants system and that the risks inherent in this effort, therefore, are\ngenerally low. We do not disagree with the findings noted in the review and welcome the\nopportunity to outline the steps currently being taken to mitigate those risks.\n\nThe Corporation has engaged a company, not involved in the development of eGrants, to design\na testing program, develop testing scripts that can be used now and in the future, and perform\nindependent testing. This contract specifically addresses the first two of the three described\nrisks:\n\n       The Corporation should develop or adopt a specific quality assurance and testing\n       methodology for the new E-SPAN system..
.\n\n       The Corporation should document criteria for testing specific application security and\n       internal controls to be used for both initial and on-going quality assurance validation\n       testing of E-SPAN.\n\nThe Corporation\'s quality assurance and testing contractor is currently developing a project plan\nand beginning to develop test scripts. We are working closely with that contractor to make sure\nthat the product of this effort addresses the risks identified by KPMG.\n\nKPMG\'s third finding is as follows:\n\n       The Corporation should develop a system life cycle management strategy and plan for\n       operation and maintenance of the E-SPAN system throughout its expected operational\n       lifespan while personnel with detailed knowledge of the system design are still available.\n\nThe eGrants system was developed within the context of the Corporation\'s existing Structured\nSystems Development Life Cycle Methodology (Policy #378). All major systems development\nis done using the full selection of ORACLE development tools. All system functionality will be\navailable and understandable to any software developer, even someone completely unfamiliar\nwith the system. The SPAN system has been operating under this life cycle strategy for several\nyears. The Corporation is revising its ongoing ORACLE support contract to include the\nexpected additional ORACLE expertise required by this new system. Throughout the\ndevelopment of the system, the Corporation and the system developer have maintained a list of\nitems that were not in the initial design but that need to be considered in the next version of the\nsoftware. That list is the start of an ongoing maintenance plan. For the last nine months, the\nCorporation has had internal conversations about staffing and related ongoing costs of the\nsystem. The very difficult administrative funding situation of the Corporation has meant firm\ndecisions have not been possible.\n\nKPMG is correct: the Corporation needs to take all of the above and put it into a single plan that\nwill be available to anyone, including outside auditors. We plan to develop such a plan later\nthis calendar year.\n\nWe would like to thank the Office of the Inspector General and the staff of KPMG for their\nprofessional attention and their thoughtful insights into the development project.\n'